Logon Failure - Where is the culprit IP.

Guest

Hi All,

I am getting 529 errors multiple times a day on different domain
controllers. How can I find which machine or IP address is generating
them?
Event Log Details - Event ID 529. Category: Logon/Logoff

Logon Failure:
Reason: Unknown user name or bad password
User Name: User1
Domain: Domain1
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: DC1

I tried Network Monitor but could not get anything out of it. I need some
pointers or help with documents/procedures/tools or ideas.

Thanks
IK

Lanwench [MVP - Exchange]

Workstation: DC1.

Is that a machine on your network? If not, do you have a good firewall in
place to protect your network from the Internet?

Karl Levinson [x y] mvp

The only way to get the culprit IP is to use a firewall, sniffer or router
logs [possibly with a free syslog client like www.kiwisyslog.com].
www.sygate.com and www.kerio.com are more or less free firewalls. Ethereal
is a free sniffer. You would need to manually try to correlate the IP /
firewall logs with your Windows event logs, or you can use a free tool like
NTSYSLOG to spit both logs into one syslog in realtime for easier
correlation.

Guest

Thanks for the reply.

The security team is quite on their toes always and they have blocked all
access to internal networks.
I am using NTsyslog to forward my logs to a syslog server. I will check with
my security team to correlate firewall logs with Windows Sec Logs.

Meanwhile, I want to know what I should look for in the Network Monitor.
Secondly, is it possible that a machine with 2 NICs can present itself with
the first NIC's IP address?

Thanks
IK

Karl Levinson [x y] mvp said:
The only way to get the culprit IP is to use a firewall, sniffer or router
logs [possibly with a free syslog client like www.kiwisyslog.com].
www.sygate.com and www.kerio.com are more or less free firewalls. Ethereal
is a free sniffer. You would need to manually try to correlate the IP /
firewall logs with your Windows event logs, or you can use a free tool like
NTSYSLOG to spit both logs into one syslog in realtime for easier
correlation.
